Car Industry In Crisis Over AI and Hackers

In many instances, researchers and engineers have found ways to hack into modern, Internet-capable cars, as has been documented and reported several times.

One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved.

But what should the security industry’s response be when a hack is found that is not only successful in being able to drastically affect the performance and function of the car, but is also stealthy and vendor neutral? Enter the hack that does just that, one that has been discovered and proven to be effective by the collaborative research efforts of Politecnico di Milano, Linklayer Labs, and Trend Micro's Threat Research (FTR) team.

It is currently indefensible by modern car security technology, and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made.

Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade. Here are some anticipated initial questions and answers:

Another “car hacking” proof of concept? What’s new about it?

What’s new is that it’s an attack that disables a device (e.g., airbag, parking sensors, active safety systems) connected to the car’s device network in a way that is invisible to state-of-the-art security mechanisms.

What is the main takeaway from this research?

Gaining access to someone else’s vehicle has become a common situation, with many legitimate use cases. It is time that standardisation bodies, decision makers, and car manufacturers take this change into account, and revise the design of the cyber-physical systems that govern future automobiles in order to secure them.

So some drivers believe that Self-Driving Cars are a Hacker's dream? Think again…

Self-driving cars feel like they should provide a nice juicy target for hackers.

After all, a normal car has a driver with their hands on the wheel and feet on the pedals. Common sense suggests this provides a modicum of protection against a car takeover which a self-driving car, or even one with just the sort of assisted driving features already found on the road today, lacks.

But that’s the wrong way around, says Craig Smith, a security researcher and car hacker. “One interesting thing about fully self-driving cars is they’re unintentionally more secure, which is really not what you would expect at all.”

Alongside his day job as the head of transportation research at security firm Rapid7, Smith runs the Car Hacking Village at Defcon, the world’s largest hacking convention, in Las Vegas.

Spend any time there, and you’ll start giving sideways glances to anything weird your car does. Now in its third year, the village is the nexus of a community capable of remotely hacking into a jeep to cut the breaks and fooling a Tesla’s autopilot into thinking there’s a phantom pillar in front of it.

At first automotive manufacturers saw hackers the way much of the world still does: irritations at best, and hardened criminals at worst, maliciously trying to break their products and endanger the world.

These days, attitudes have softened, with hackers seen as potential allies, or at least uneasy partners, in the war against cyber-crime. The bugs that let hackers into a car are there from the start; it’s better if someone like Smith finds them rather than an unscrupulous gangster who wants to start experimenting with in-car ransomware.

The most obvious example of the thawing of attitudes was a Mazda 2 rolled in by the Japanese carmaker for the denizens of Defcon to have their way with. But it’s only halfway there, Smith warns: “I like that Mazda’s here, but everybody has a lot of work to do in this particular field, in terms of being more open about their stuff.”

Mazdas are good cars to learn from, he explains, because all the electronic systems send instructions around the car through one bottleneck, the high-speed bus. In most cars, the bus is reserved for the most safety critical messages, such as steering or braking, meaning it’s not really the sort of thing you want to mess around with. But you can learn how the bus works by fiddling with something as mundane as the windscreen wiper commands on a Mazda.

Those sorts of considerations still form the bread and butter of car hacking research right now. The inner workings of most cars are obfuscated, complex and locked up, leaving researchers struggling to even understand what an in-car computer looks like when it’s working, let alone how to start pushing the boundaries of what it can do.

Obscurity might bring safety for a while, but it also renders security research expensive and time-consuming. The really dangerous flaws are likely to be discovered, not by hobbyist researchers, but by those who stand to make money from hacking.

One of the biggest stories from the sector in 2015 and 2016 was the hacking of a Jeep. In 2015, two researchers from IOActive discovered a way to hack their way from the internet-connected entertainment system of the car into the low-level system which controls the vehicle.

That let them send commands to brake or steer the car wirelessly prompting a mass recall of affected models. In 2016 the pair presented an update at Defcon that illustrated just how much more they could have done after slowly reverse engineering the Jeep’s low-level system.

They went from only being able to break control the car when it was travelling less than 5 miles per hour, for instance, to being able to control the speed of the car at will.

That distinction is also why Smith is counterintuitively optimistic about the future of cars, as they move from human- to computer-controlled. Smith explains:

“The way cars work today is you have a few sensors. You can see how they work in a lot of commercials: a car is backing up, or parking, it sees a kid in a driveway, and it stops.

“You have one signal coming in, saying ‘I see an object, stop the car’. It’s a computer overriding a human. The human is saying ‘I’m going to drive, I’m giving it gas’, and not only is it ignoring it, the car is doing the opposite of what the human says. ‘That’s nice, I’m going to stop’.”

Those signals are sent through that same low-level system that hackers have been penetrating for years. It is called the Can bus, short for Controller Area Network.

It’s generally the case that once a hacker has access to it, the rest of the game is largely reverse-engineering what signals are sent when. As one security engineer for a major car firm joked, “it’s called the can bus, not the can’t bus, because once you’ve got access to it, there’s nothing you can’t do”.

Smith explains that from a hacker’s point of view having just one sensor makes it much easier to fake a signal or event to fool the car into doing something. But self-driving cars are, by and large, smarter. Smith said: “In a self-driving world, fully self-driving, they have to use lots of different sensors.”

That’s because simple proximity-detection doesn’t cut it if you need a car to drive in different conditions and through different streets without human intervention. How, for example, do you tell the difference between a pile of leaves lying in the road – safe to drive through – and a child who has fallen off their bike? No single-reading depth detector can tell you that.

“Each of the sensors used in autonomous driving comes to solve another part of the sensing challenge,” said Danny Atsmon, the head of self-driving vehicle testing company Cognata, who explained that cameras on autonomous cars have been confused by an RV with an image of a landscape on it or by a car with a picture of a bike.

“Lidar cannot sense glass, radar senses mainly metal and the camera can be fooled by images, hence, the industry decided on a sensor redundancy and sensor fusion approach to solve that, but each of the edge cases that we present here raises the bar,” said Atsmon.

That fusion of sensor doesn’t just help get a better picture of the world, it also, accidentally, solves part of the security problem.

“The interesting thing that happens is that each sensor doesn’t trust the other,” Smith says. The radar no longer has the ability to bring the car to a juddering halt, for instance, because the camera and Lidar might overrule its findings. To convincingly fake all the systems at once, you can’t just feed in a few false signals: you have to model an entirely fictitious world.

“It’s way closer to the way humans figure out whether something is an illusion or not. And that’s harder for a hacker to deal with. Even the most secure corporate networks tend not to take that sort of approach: once you’re in the secure zone, they assume you’re one of the good guys.”

The future won’t be a hack-free heaven. Software is complex, mistakes happen, and there are other ways to sneak through the code of self-driving cars, even if that entails hacking, not the car, but the world itself. Take the researchers who printed fake Stop signs that are readable by a human but not a car.

But it looks like sitting in a car controlled by a computer may at least be safer than sitting in a car that thinks it’s controlled by you. The sooner this stuff gets solved, the better.  

Trend Micro:      Guardian:

You Might Also Read:

Cybersecurity Rules For Autonomous Vehicles:

What Will The Car Of 2040 Be Like?:

 

« ‘Decoys’ To Reinforce Japan’s Defenses Against Cyber-attacks
Will GDPR Protect Privacy Or Just Lead To More Hacks? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Wizard Computing

Wizard Computing

Wizard Computer Services is a full service IT solutions provider that offers managed services, consultation, installation, and support to small and large businesses in New England.

Data Resolve Technologies

Data Resolve Technologies

Data Resolve offer a mechanism through which customers can detect and tackle various kinds of sensitive activities pertaining to data loss and data theft.

Parsons

Parsons

Parsons has developed a converged security offering that combines cybersecurity, integrated network solutions, and critical infrastructure protection.

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Silensec

Silensec

Silensec is a management consulting, technology services and training company specialized in information security.

CARICERT

CARICERT

CARICERT is the National Cyber Emergency Response Team of Curacao in the Caribbean.

Department of Justice & Equality - Cybercrime Division

Department of Justice & Equality - Cybercrime Division

The Cybercrime division is responsible for developing policy in relation to the criminal activity and coordinating a range of different cyber initiatives at national and international level.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

Content+Cloud

Content+Cloud

Content+Cloud is a leading technology services business and Managed Services Provider (MSP) with a genuine passion for helping your organisation to succeed, whatever your ambitions.

European Cyber Competence Network

European Cyber Competence Network

The purpose of the European Cyber Competence Network is to retain and develop the cybersecurity technological and industrial capacities of the EU necessary to secure its Digital Single Market.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

HarfangLab

HarfangLab

HarfangLab develops a hunting software to boost detection and neutralization of cyberattacks against companies endpoints.

NetScout Systems

NetScout Systems

NetScout assures digital business services against disruptions in availability, performance, and security.

CloudDefense.AI

CloudDefense.AI

CloudDefense.AI is an industry-leading multi-layered Cloud Native Application and Protection Platform (CNAPP) that safeguards your cloud infrastructure and cloud-native apps,

Levio

Levio

Levio is a digital native business and technology consulting firm. As a true partner from start to finish, our goal is a long-lasting transformation that’s right for your business model.

Togggle

Togggle

Togggle offers seamless identity verification solutions and distributed infrastructure, enabling organizations to combat fraud and ensure compliance with data protection regulations.